Method for producing a common key in two devices, in order to implement a common cryptographic procedure, and associated apparatus

ABSTRACT

The invention relates to a method and an apparatus for producing a key that is common to two devices that belong to different sets and are intended to implement a common cryptographic procedure. Each device is assigned a mother key (KC, KP) and a daughter key (KP_(ck), KC_(pi)). The daughter key is developed on the basis of the mother key of the other device and of an identification datum specific to the device. When the procedure is performed, the two devices exchange their identification datum (ck, pi), which when processed with the aid of the mother key held by the device will yield the daughter key (KC_(pi), KP_(ck)) of the other device. The pair of keys formed by the daughter key already held and by the daughter key that is calculated constitutes the common key.

FIELD OF THE INVENTION

The invention relates to a method for producing a common key K assigned to an arbitrary device CE_(k) of a set of first devices CE and to an arbitrary device PME_(i) of a set of second devices PME so that these two devices will implement a common cryptographic procedure.

DESCRIPTION OF RELATED ART

A conventional method consists of assigning all the first devices CE a common mother key, and all the second devices PME a different daughter key, obtained by diversification of the mother key by means of an identification datum of the second device in question.

A hierarchy is thus established between the first and second devices, since the level of security of the first devices is higher than that of the second devices.

During a session between a first device CE and a second device PME, the latter transmits its identification datum to the former, in such a way that the first device calculates the daughter key of the second device on the basis of its mother key; this daughter key constitutes the common key K.

This method is satisfactory in the event of attempted fraud at one of the second devices PME. The violation of the second device PME will allow the defrauder to discover only one daughter key at best, but not to learn the mother key, which would be the only one that could allow him to produce new, fraudulent daughter keys compatible with the mother key in order to fabricate fraudulent second devices PME.

However, if the defrauder violates one of the first devices CE, there is the risk that he can gain access to the mother key.

SUMMARY OF THE INVENTION

The problem the invention seeks to solve is to propose a method of the type defined at the outset above that offers good immunity to violation of an arbitrary one of the two devices PME and CE between which a common cryptographic procedure takes place.

To that end, the method of the invention includes the steps comprising assigning a first mother key KC to each of said first devices CE, and a second mother key KP to each of said second devices PME; assigning at least one daughter key KP_(ck) to each first device CE_(k), based on the second mother key KP relating to the second devices PME_(i) and on an identification datum ck assigned to this first device CE_(k); assigning at least one daughter key KC_(pi) to each second device PME_(i), based on the first mother key KC relating to the first devices CE_(k) and on an identification datum pi assigned to the second device PME_(i), each time a cryptographic procedure between a first device PME_(i) and a second device CE_(k) is requested; transmitting the identification datum pi, ck from each of these two devices to the other device; in each of these two devices, developing a daughter key KP_(ck), KC_(pi), based on the mother key KP, KC of the applicable device and on the identification datum ck, pi received from the other device; in each of these two devices, selecting the daughter key KC_(pi), KP_(ck) corresponding to the identification datum pi, ck received from the other device; and associating the two daughter keys constituted by the daughter key KP_(ck); KC_(pi) developed on the occasion of this procedure and the daughter key selected KC_(pi); KP_(ck) to form a pair constituting said common key K.

Thus, surprisingly, the most secret data, that is, the mother keys KC, KP, are distributed in the first and second devices, moreover regardless of the difference in hierarchical level that may exist between the two sets of devices and may be associated with the application in question (as an example, between a data base server and a terminal that provides access to it, or between an electronic cash register of a merchant and an electronic billfold of a customer). With respect to the nature of the keys held by the first and second devices, both devices have the same level of security.

Violating a first or second device PME_(i) at best allows the defrauder to procure one of the mother keys, KP, but not the other, KC. To the extent that the daughter keys KC_(pi) present in this device PME_(i) are valid only for that particular device, he cannot use them to put them into new fraudulent devices; on the contrary, he would have to be capable of recreating, for each fraudulent device, the indispensable daughter keys KC_(pi) that are compatible with the identification datum pi of that device.

The invention also relates to the apparatus associated with this procedure.

BRIEF DESCRIPTION OF THE DRAWINGS

Further details and advantages of the invention will become apparent in the ensuing description of a preferred, but not limiting, embodiment, taken in conjunction with the accompanying drawings, in which:

FIG. 1 shows two master keys KCM and KPM, and their breakdown into a plurality of mother keys;

FIG. 2 shows how each mother key KP_(i) is in turn broken down into a plurality of daughter keys KP_(isj), and how one assigns a plurality of these daughter keys to an electronic cash register KC₄;

FIG. 3 shows a billfold family, No. 19, in which each billfold has one common mother key KP₁₉ and a plurality of daughter keys KC_(ipj), and a group, No. 4, of electronic cash registers, each of which has one common mother key KC₄ and a plurality of daughter keys KP_(icj); and

FIG. 4 shows one way of producing a diversified key K_(1d) based on a base key K₁ and a diversification datum E.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The exemplary embodiment shown takes into consideration two types of devices, the first being an electronic cash register CE disposed in a merchant's point of sale terminal, and the second device PME being an electronic billfold, constituted by a portable object in the form of a card of the bank card type, and assigned to a potential customer. Each cash register, like each billfold, includes information processing means, for example in the form of an associated microprocessor, associated on the same chip with a self-programmable nonvolatile memory, such as that defined by French Patent No. 2461301 and its U.S. equivalent U.S. Pat. No. 4,382,279.

As shown in FIG. 1, two master keys KCM and KPM are defined, which are at the highest security level in the hierarchy of the various keys used. Advantageously, each master key is double, or in other words is constituted of two words 1,2 (each of 64 bits, for example), and gives rise to a plurality of mother keys which are also double. Thus the master key KCM gives rise to four mother keys KC₁-KC₄ relating to the cash registers C, while the master key KCP gives rise to 64 mother keys KP₁-KP₆₄ relating to the billfold P.

One advantageous diversification principle, among others, is shown in FIG. 4. It is based on the use of what is known as the "triple DES" algorithm (for Data Encryption Standard), in which a diversification datum E constitutes the input variable of a first algorithm DES, and the result of calculation constitutes the input variable of a second algorithm DES⁻¹, which is the inverse of the first, and the second result of calculation constitutes the input variable of a third algorithm DES that is identical to the first. The algorithm DES causes a key K₁₁ to act, while the algorithm DES⁻¹ causes a key K₁₂ to act. Advantageously, K₁₁ and K₁₂ constitute the two single keys of one double key K₁. They are made up, for example, of one 64-bit word. The result of the "triple DES" algorithm is a key K_(1d) that is diversified compared with the key K₁: a different diversified key K_(1d) corresponds to each different value of E. The key K_(1d) is of the same size as the keys K₁₁ and K₁₂.

The four mother keys KC₁ to KC₄ are obtained, for example, by the method of FIG. 4, using the ordinal number 1-4 of these keys as the diversification datum E and using the master key KCM as the key K₁. To produce double keys, the diversified key K_(1d) constituting the result of calculation is used as a diversification datum for a second calculation, which yields a second diversified key K_(2d); the pair of keys K_(1d), K_(2d) thus produced forms the double key sought. The sixty-four mother keys KP₁-KP₆₄ are produced in the same way.

The mother keys KC₁-KC₄ define four groups of cash registers, and all the cash registers of a given population of cash registers, for instance including 100,000 cash registers, are distributed among these four groups. As will be more apparent hereinafter, the number of groups has been chosen to be low, because it directly affects the bulk of the memory zone of each billfold assigned to store the daughter keys. Classifying the various cash registers in the various groups can be done as follows: The binary numbers 00, 01, 10 and 11 are assigned to the four groups, and all the cash registers in which the two least significant bits of their serial number are 00 are assigned to the group 00, and so forth for the other cash registers.

In a similar way, the 64 mother keys KP₁-KP₆₄ define 64 families of billfold; ten million billfolds, for example, comprise the billfold population and are distributed among the various families. The distribution is done using the six least significant bits of the serial number of each billfold.

Such a classification is shown in FIG. 3, where the group No. 4 of cash registers defined by the mother key KC₄ contains one-fourth of the cash registers, that is, 25,000 cash registers, here numbered from 1 to 25,000, for the sake of simplicity. In the same way, the billfold group No. 19 defined by the mother key KP₁₉ contains a fraction corresponding to 1/64 of all the billfolds, or approximately one hundred fifty thousand billfolds, numbered here from 1 to 150,000, for the sake of simplicity.

The way in which the daughter keys are produced from the mother keys will be described with reference to FIG. 2. For example, the mother key KP₁ is diversified into one hundred thousand daughter keys KP_(1c1) to KP_(1c100,000), using the entire serial number of the various cash registers as the diversification datum E; conventionally, such a serial number occupies from four to five 8-bit bytes. The mother keys KP₂-KP₆₄ are diversified in the same way, on the basis of the serial numbers of the cash registers. For the diversification, the method of FIG. 4 based on the "triple DES" algorithm is advantageously used, in which the keys K₁₁ and K₁₂ respectively correspond to the two single keys that constitute each mother key KP_(i).

The diversification of the mother keys KC₁-KC₄ is done in comparable fashion, based on the serial numbers of the various billfolds, to produce daughter keys KC_(1p1)-KC_(1p10,000,000) through KC_(4p1)-KC_(4p10,000,000).

How each cash register and each billfold is personalized by assigning it a unique set of keys will now be described. Cash register No. k, which for example belongs to the group of cash registers No. 4 (FIG. 3), initially includes one mother key KC₄, which is the mother key of the group. Next, it includes 64 daughter keys, KP_(1ck)-KP_(64ck). This set of daughter keys has been constituted as shown in FIG. 2: In each of the 64 sets of daughter keys originating from the 64 mother keys KP₁-KP₆₄ relating to the billfold families, uniquely the daughter key with the subscript ck is selected. In all, cash register No. k thus possesses a set of 65 keys, one of which is the double mother key and the others of which are the single daughter keys. FIG. 3 also shows the contents of the sets of keys for cash registers numbered 1-25,000 of the same group.

This process is continued in a similar manner to make up the set of keys of each billfold. For example, billfold No. i includes the mother key KP₁₉ and the four daughter keys KC_(1pi)-KC_(4pi).

By comparing the contents of the set of keys of a billfold No. i and a cash register No. k, one observes first of all that each contains only a single mother key, KP₁₉ and KC₄, respectively, which indeed relates to the type of device in question, that is, a billfold P and a cash register C. Hence one will not find in the same set of keys both a mother key KP_(i) and a mother key KC_(k), or in other words, keys that derive directly from the master key KPM and keys that derive directly from the master key KCM.

On the other hand, each set of keys of a first type of device contains daughter keys that all originate in the same mother key of the second type of device, with the mother key being different for each daughter key: thus billfold No. i contains four daughter keys KC_(1pi)-KC_(4pi) that come from the mother keys KC₁-KC₄ relating to the cash registers, and in the same way, cash register No. k contains 64 daughter keys KP_(1ck)-KP_(64ck).

The use of these different keys will now be described, in connection with the particular application of an electronic billfold. In such an application, the handling of a transaction consists of debiting a certain amount from the billfold and crediting the same amount to the cash register of the merchant involved. For security reasons, it is stipulated that the credit to the cash register cannot be made until after debiting of the billfold, so as to prevent an illicit creation of electronic money to the detriment of the organization that issued the billfold.

To that end, each billfold is arranged so as to generate a debit certificate upon each transaction with a given cash register; the certificate is the signature S of a message M, which is made up of information relating to the transaction in question (identification of the customer, date, amount, etc.). The signature of the message is the result of a calculation performed by a predetermined algorithm F, using the message and a key K as its input data. As for the cash register, it verifies the authenticity of the signature S transmitted by the billfold. If the algorithm F is of the symmetrical type, then this verification will require the same key K. If the signature is confirmed, then the cash register can record the credit corresponding to the transaction.

In a highly advantageous way, the key K is calculated from two daughter keys, one of which, KC_(4pi), being derived from the same mother key KC₄ of the cash register No. k involved and diversified with the number of the billfold involved, and the other, KP_(19ck), being derived symmetrically from the mother key KP₁₉ of billfold No. i and diversified with the number k of the cash register. For example, with reference to FIG. 4, the two daughter keys KC_(4pi) and KP_(19ck) make up the two keys K₁₁ and K₁₂, and a random number, which is a function of the pair (cash register and billfold) and is always different from one session to another, makes up the diversification datum E; hence a single session key Ks is then constituted by the result K_(1d) of the calculation. This calculation is done simultaneously in the cash register and in the billfold. If one wishes to obtain a double session key, then one may for example re-do the calculation of FIG. 4, this time using the single session key Ks already calculated as the diversification datum E.

The way in which the daughter keys KC_(4pi) and KP_(19ck) are made available in the cash register No. k and in the billfold No. i will now be described. On the occasion of a transaction, the cash register No. k and the billfold No. i identify themselves to each other by exchanging their respective serial numbers pi, ck. Then, using its mother key KP₁₉ and its serial number ck, the billfold calculates a daughter key KP_(19ck), by the procedure described above (see the corresponding arrows in FIG. 3). In the same way, using its mother key KC₄ and the serial number pi, the cash register calculates a daughter key KC_(4pi). In addition, the billfold No. i, from the two least significant bits of the serial number ck of the cash register, calculates the group number 4 to which the cash register belongs and looks in its memory for the daughter key KC_(4pi) relating to that group. Cash register No. k proceeds in the same way to select its daughter key KP_(19ck). The billfold and the cash register then calculate the session key Ks, each from the common pair KP_(19ck), KC_(4pi).

If a defrauder should gain possession of a billfold No. i and attempt to extract the set of keys from it, he would have at his disposal the mother key KP₁₉, which would allow him to generate the daughter key KP_(19ck), regardless of which cash register No. k he seeks access to.

However, he could not re-use the set of daughter keys KC_(1pi)-KC_(4pi) to insert it into a batch of fraudulent billfolds; these keys are in fact specific to the billfold No. i. He would have to be capable of creating new daughter keys KC_(1pj)-KC_(4pj) that are adapted to new billfold identification numbers pj; to do so, he would have to violate the various cash registers in order to extract the mother keys KC₁-KC₄ from them.
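The personalization, identifier exchange and key selection described above, together with the argument that keys lifted from one billfold do not work under another serial number, can be followed in a short simulation. This is an added example, not part of the patent text: HMAC-SHA256 is swapped in for the triple-DES diversification of FIG. 4 and for the signature algorithm F, and the class and function names, the 0-based group and family indices, the nonce handling and the sample serial numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

N_GROUPS, N_FAMILIES = 4, 64  # cash-register groups, billfold families

def diversify(key: bytes, datum: bytes) -> bytes:
    # Stand-in for the FIG. 4 diversification. The patent uses two-key
    # triple DES; HMAC-SHA256 is an assumption so this runs on stdlib only.
    return hmac.new(key, datum, hashlib.sha256).digest()[:16]

def ser(n: int) -> bytes:
    return n.to_bytes(5, "big")  # serial numbers occupy four to five bytes

def group_of(ck: int) -> int:
    return ck & 0b11  # two least significant bits of the register serial

def family_of(pi: int) -> int:
    return pi & 0b111111  # six least significant bits of the billfold serial

class Device:
    def __init__(self, role, serial, mother, daughters):
        self.role, self.serial = role, serial
        self.mother = mother        # mother key of own group or family
        self.daughters = daughters  # one per peer group/family, bound to own serial

    def common_key(self, peer_serial: int):
        # Daughter key of the peer, recomputed from our own mother key.
        computed = diversify(self.mother, ser(peer_serial))
        # Stored daughter key matching the peer's group or family.
        index = family_of if self.role == "CE" else group_of
        selected = self.daughters[index(peer_serial)]
        # Both sides order the pair as (KC daughter, KP daughter).
        return (computed, selected) if self.role == "CE" else (selected, computed)

    def session_key(self, peer_serial: int, nonce: bytes) -> bytes:
        kc_d, kp_d = self.common_key(peer_serial)
        return diversify(kc_d + kp_d, nonce)

class Issuer:
    """Holds the master keys and personalizes devices (hypothetical helper)."""
    def __init__(self, kcm: bytes, kpm: bytes):
        self.kc = [diversify(kcm, bytes([g])) for g in range(N_GROUPS)]
        self.kp = [diversify(kpm, bytes([f])) for f in range(N_FAMILIES)]

    def register(self, ck: int) -> Device:
        daughters = [diversify(kp, ser(ck)) for kp in self.kp]  # 64 keys
        return Device("CE", ck, self.kc[group_of(ck)], daughters)

    def billfold(self, pi: int) -> Device:
        daughters = [diversify(kc, ser(pi)) for kc in self.kc]  # 4 keys
        return Device("PME", pi, self.kp[family_of(pi)], daughters)

def certificate(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()  # stand-in for F

def run_transaction(billfold: Device, register: Device, message: bytes) -> bool:
    nonce = os.urandom(8)  # per-session random number (exchange is assumed)
    s = certificate(billfold.session_key(register.serial, nonce), message)
    expected = certificate(register.session_key(billfold.serial, nonce), message)
    return hmac.compare_digest(s, expected)

def demo():
    issuer = Issuer(b"constructed-KCM", b"constructed-KPM")
    ce = issuer.register(ck=100_003)      # constructed serial, group index 3
    pme = issuer.billfold(pi=7_000_019)   # constructed serial, family index 19
    honest = run_transaction(pme, ce, b"debit 12.50")
    # Keys copied out of billfold i and reused under a new serial pj
    # (same family): the register recomputes KC_(g,pj), which the copy lacks.
    clone = Device("PME", 7_000_083, pme.mother, pme.daughters)
    cloned = run_transaction(clone, ce, b"debit 12.50")
    return honest, cloned

if __name__ == "__main__":
    print(demo())
```

Only the KC half of the pair differs for the copied key set; the KP half still matches because the extracted mother key KP is genuine, which is the asymmetry the two preceding paragraphs describe.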

In a less advantageous embodiment of the invention, only a single family of billfold and/or a single group of cash registers is defined. In that case, each billfold and/or cash register contains the unique mother key of the family or group and a single daughter key derived from the other mother key.

In another variant of the invention, a single master key is used to generate all the mother keys of the billfold and the cash registers. In this case, one is assured that the mother keys are indeed different for the billfold and the cash registers. For example, one could use the six least significant bits of the serial numbers of the billfold to generate their mother keys, and the two least significant bits of the serial numbers of the cash register to generate their mother keys, with the bits selected having the same rank in the diversification datum E.

In another variant of the invention, no session key Ks is calculated from the two daughter keys KC_(4pi) and KP_(19ck) selected by the billfold and the cash register; instead, this pair of daughter keys is used directly for the common cryptographic procedure.

In another variant of the invention, the identification datum of an arbitrary device (billfold or cash register) is constituted by the ordinal number of the family or group to which it belongs, rather than by a number specific to that device.

The invention is applicable to all the levels in the hierarchy of any system for furnishing goods or services, for access to data bases, or for a private or public exchange of data; the invention will serve equally well to manage either the dialogue between the supreme authority of the system and all the devices that cooperate directly with it, or the dialogue between two sets of devices on an intermediate level, or at the lowest level with the final interlocutor.

The invention is applicable to any procedure that requires two devices that have a dialogue with one another to hold a common key, for instance by encryption to protect the transmission of sensitive data, to generate a transaction certificate or a message signature, and so forth.

While this invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the spirit and scope of the invention as set forth herein and defined in the claims.

We claim:
 1. A method for producing a common key (K) assigned to an arbitrary device (CE_(k)) of a set of first devices (CE) and to an arbitrary device (PME_(i)) of a set of second devices (PME) so that these two devices will implement a common cryptographic procedure, characterized in that it includes the steps comprising: assigning a first mother key (KC) to each of said first devices (CE), and a second mother key (KP) to each of said second devices (PME); assigning at least one daughter key (KP_(ck)) to each first device (CE_(k)), based on the second mother key (KP) relating to the second devices (PME_(i)) and on an identification datum (ck) assigned to this first device (CE_(k)); assigning at least one daughter key (KC_(pi)) to each second device (PME_(i)), based on the first mother key (KC) relating to the first devices (CE_(k)) and on an identification datum (pi) assigned to the second device (PME_(i)), and each time a cryptographic procedure between a first device (PME_(i)) and a second device (CE_(k)) is requested; transmitting the identification datum (pi, ck) from each of these two devices to the other device; in each of these two devices, developing a daughter key (KP_(ck), KC_(pi)), based on the mother key (KP, KC) of the applicable device and on the identification datum (ck, pi) received from the other device; in each of these two devices, selecting the daughter key (KC_(pi), KP_(ck)) corresponding to the identification datum (pi, ck) received from the other device; and associating the two daughter keys constituted by the daughter key (KP_(ck); KC_(pi)) developed on the occasion of this procedure and the daughter key selected (KC_(pi); KP_(ck)) to form a pair constituting said common key (K).
 2. The method of claim 1, further comprising: defining a plurality of groups (1-4) of first devices (CE) and a plurality of families (1-64) of second devices (PME); assigning each group or family a different mother key (KC_(g); KP_(f)), each device of the group or family having the mother key of the group or family as its mother key; defining a plurality of daughter keys (KP_(gck)) in each first device (CE_(k)), based on the mother keys (KP_(f)) relating to the second devices and on its identification key (ck); defining a plurality of daughter keys (KC_(gpi)) in each second device (PME_(i)), based on the mother keys (KC_(g)) relating to the first devices and on its identification key (pi); in the first and second devices and among the set of daughter keys held (KP_(fck); KC_(gpi)), selecting the one (KP_(19ck); KC_(4pi)) whose mother key (KP₁₉, KC₄) corresponds to the mother key held by the other device.
 3. The method of claim 1, further comprising assigning a different identification datum to each device of a set of devices.
 4. The method of claim 1, further comprising developing the first (KC_(g)) and second (KP_(f)) mother keys based on two respective different master keys (KCM, KPM).
 5. The method of claim 1, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.
 6. An apparatus for managing transactions or furnishing services and including a set of first devices (CE) and a set of second devices (PME), an arbitrary first device being arranged to exchange transactions or services with an arbitrary second device by implementing a common cryptographic procedure by means of a session key (K_(s)) common to these two devices, characterized in that each of said devices (CE, PME) includes a memory in which a first mother key (KC) is recorded as regards the first devices (CE) and a second mother key (KP) is recorded as regards the second devices (PME); the memory of each first device (CE_(k)) also contains at least one daughter key (KP_(ck)) defined on the basis of the second mother key (KP) relating to the second devices (PME_(i)) and of an identification datum (ck) assigned to this first device (CE_(k)); the memory of each second device (PME_(i)) also contains at least one daughter key (KC_(pi)) defined on the basis of the first mother key (KC) relating to the first devices (CE_(k)) and of an identification datum (pi) assigned to this second device (PME_(i)); each device (CE_(k), PME_(i)) includes means for exchanging its identification datum (pi, ck) with an arbitrary device with which a common cryptographic procedure is to be implemented, and processing means for developing a daughter key (KP_(ck), KC_(pi)) on the basis of its mother key (KP, KC) and of the identification datum received from the other device, to select from within its memory the daughter key (KP_(ck)) corresponding to the identification datum (pi, ck) received from the other device, and to associate the two daughter keys constituted by (KP_(ck); KC_(pi)) developed on the occasion of this procedure and the daughter key selected (KP_(ck); KC_(pi)) to form a pair constituting said common key (K).
 7. The apparatus of claim 6, wherein each first device (CE) is an electronic cash register disposed in a point of sale terminal, and each second device (PME) is an electronic billfold constituted by a portable object and assigned to a potential customer, the billfold being arranged to calculate a debit certificate on the basis of data characterizing the transaction or service in question and by means of a predetermined algorithm that as its key uses said common key (K), this certificate being transmitted to the electronic cash register, which verifies the authenticity of the certificate by means of a predetermined algorithm that as its key uses said common key (K).
 8. The method of claim 2, further comprising assigning a different identification datum to each device of a set of devices.
 9. The method of claim 2, further comprising developing the first (KC_(g)) and second (KP_(f)) mother keys based on two respective different master keys (KCM, KPM).
 10. The method of claim 3, further comprising developing the first (KC_(g)) and second (KP_(f)) mother keys based on two respective different master keys (KCM, KPM).
 11. The method of claim 2, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.
 12. The method of claim 3, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.
 13. The method of claim 4, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.
 14. The method of claim 8, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.
 15. The method of claim 9, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.
 16. The method of claim 10, further comprising using an algorithm, for developing the aforementioned different keys, that implements two keys (K₁₁, K₁₂) that as applicable comprise a master key or a duplicate mother key, or said common pair of daughter keys.